Can HDCloud be created only in VPC?

It appears that HDCloud can be created only on AWS VPC. What about AWS public cloud? Is this a limitation?

1 ACCEPTED SOLUTION

@Vivek Sharma

Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a virtual private cloud (VPC), an isolated area within AWS where you can configure a virtual network, controlling aspects such as private IP address ranges, subnets, routing tables, and network gateways. HDCloud requires a VPC, and is therefore limited to the AWS private cloud.

From the Network and Security section of the current Hortonworks Data Cloud documentation: In addition to the Amazon EC2 instances created for the cloud controller and cluster nodes, Hortonworks Data Cloud deploys the following network and security AWS resources on your behalf:

  • An Amazon VPC configured with a public subnet: When deploying the cloud controller, you have two options: (1) you can specify an existing VPC, or (2) have the cloud controller create a new VPC. Each cluster is launched into a separate subnet. For more information, see Security documentation.
  • An Internet gateway and a route table (as part of VPC infrastructure): An Internet gateway is used to enable outbound access to the Internet from the control plane and the clusters, and a route table is used to connect the subnet to the Internet gateway. For more information on Amazon VPC architecture, see AWS documentation.
  • Security groups: to control the inbound and outbound traffic to and from the control plane instance. For more information, see Security documentation.
  • IAM instance roles: to hold the permissions to create certain resources. For more information, see Security documentation.

If using your own VPC, make sure that:

  • The subnet specified when creating a controller or cluster exists within the specified VPC.
  • Your VPC has an Internet gateway attached.
  • Your VPC has a route table attached.
  • The route table includes a rule that routes all traffic (0.0.0.0/0) to the Internet gateway. This routes all subnet traffic that isn't between the instances within the VPC to the Internet over the Internet gateway.

Since the subnets used by HDC must be associated with a route table that has a route to an Internet gateway, they are referred to as Public subnets. Because of this, the system is configured by default to restrict inbound network traffic to a minimal set of ports. The following security groups are created automatically:

  • The CloudbreakSecurityGroup security group is created when launching your cloud controller and is associated with your cloud controller instance. By default, this group enables HTTP (80) and HTTPS (443) access to the Cloud UI and SSH access from the remote locations specified in the "Remote Access" CloudFormation parameter.
  • The ClusterNodeSecurityGroupmaster security group is created when you create a cluster and is associated with all Master node(s). By default, this group enables SSH access from the remote locations specified in the "Remote Access" parameter when creating the cluster.
  • The ClusterNodeSecurityGroupworker security group is created when you create a cluster and is associated with all Worker node(s). By default, this group enables SSH access from the remote locations specified in the "Remote Access" parameter when creating the cluster.

See the Ports section of the Security documentation for information about additional ports that may be opened on these groups.
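An offline check of the two points in this answer, the own-VPC checklist and the security groups' "Remote Access" scope, as an added example that is not Hortonworks code: the inputs are constructed dicts in the shape of boto3 describe_subnets, describe_internet_gateways, describe_route_tables and describe_security_groups responses, and the group name CloudbreakSecurityGroup comes from the answer above.

```python
def check_vpc_prereqs(vpc_id, subnet_id, subnets, igws, route_tables):
    """Return the failed HDCloud prerequisites for launching into subnet_id of vpc_id."""
    problems = []
    subnet = next((s for s in subnets if s["SubnetId"] == subnet_id), None)
    if subnet is None or subnet["VpcId"] != vpc_id:
        problems.append("subnet does not exist within the specified VPC")
    igw_ids = {g["InternetGatewayId"] for g in igws
               if any(a["VpcId"] == vpc_id for a in g["Attachments"])}
    if not igw_ids:
        problems.append("VPC has no Internet gateway attached")
    # The subnet's route table is the one explicitly associated with it,
    # otherwise the VPC's main route table.
    table = None
    for rt in (r for r in route_tables if r["VpcId"] == vpc_id):
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                table = rt
            elif assoc.get("Main") and table is None:
                table = rt
    if table is None:
        problems.append("VPC has no route table attached")
    elif not any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                 and r.get("GatewayId") in igw_ids for r in table["Routes"]):
        problems.append("route table lacks a 0.0.0.0/0 route to the Internet gateway")
    return problems


def world_open_ports(security_groups, ports=(22, 80, 443)):
    """List (group, port) pairs where an inbound rule admits a port from 0.0.0.0/0,
    i.e. a "Remote Access" parameter that was set to the whole Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # no ports = all
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                findings.extend((sg["GroupName"], p) for p in ports if lo <= p <= hi)
    return findings


# Constructed sample (not live AWS data): a VPC that meets the checklist, and a
# controller group whose SSH rule was opened to the whole Internet.
SAMPLE_SUBNETS = [{"SubnetId": "subnet-aaa", "VpcId": "vpc-111"}]
SAMPLE_IGWS = [{"InternetGatewayId": "igw-1", "Attachments": [{"VpcId": "vpc-111"}]}]
SAMPLE_ROUTE_TABLES = [{"VpcId": "vpc-111", "Associations": [{"Main": True}],
                        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]}]
SAMPLE_SGS = [{"GroupName": "CloudbreakSecurityGroup", "IpPermissions": [
    {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}]
```

With live data the same functions take the `Subnets`, `InternetGateways`, `RouteTables` and `SecurityGroups` lists from the corresponding boto3 calls.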

5 REPLIES

@Dominika Bialek to review this answer

@Vivek Sharma If this answer helps, please accept it. Otherwise, I'd be happy to answer any remaining questions you have.

Thanks! _Tom

Hi @Vivek Sharma What do you mean by "AWS public cloud"? You have an option to launch HDCloud in your own custom VPC that can be configured according to your needs. See https://aws.amazon.com/vpc/. What else do you need?

Thanks @Dominika Bialek and @Tom McCuch

By AWS public cloud, I mean EC2-Classic.